\documentclass[11pt]{article}
%% \topmargin -1.5cm        % read Lamport p.163
%% \oddsidemargin -0.04cm   % read Lamport p.163
%% \evensidemargin -0.04cm  % same as oddsidemargin but for left-hand pages
%% \textwidth 16.59cm
%% \textheight 21.94cm 
%% %\pagestyle{empty}       % Uncomment if don't want page numbers
\parskip 7.2pt           % sets spacing between paragraphs
%% %\renewcommand{\baselinestretch}{1.5} % Uncomment for 1.5 spacing between lines
\parindent 0pt		 % sets leading space for paragraphs

\usepackage{fullpage}
\usepackage{listings} % For source code
\usepackage[usenames,dvipsnames]{color} % For colors and names
\usepackage[pdftex]{graphicx}
\usepackage{subfigure}

\definecolor{mygrey}{gray}{.96} % Light Grey
\lstset{ 
        language=bash,
        tabsize=3,                                                     
        basicstyle=\tiny,               
        numbers=left,                   
        numberstyle=\tiny,              
        stepnumber=2,                   
        numbersep=5pt,                  
        backgroundcolor=\color{white}, 
        showspaces=false,              
        showstringspaces=false,        
        %showtabs=false,                
        frame=single,                    
        tabsize=3,                          
        captionpos=b,                   
        breaklines=true,                
        breakatwhitespace=false,        
        %escapeinside={\%*}{*)},        
        commentstyle=\color{BrickRed}   
}

\title{Northeastern University \\
  Department of Computer and Information Science \\
  - \\
  CS4740 \\
  Local Exploits Lab}
\date{\today}
\author{
  Instructor: Guevara Noubir \\
  TA: Aldo Cassola \\
  - \\
  Team 19: \\
  Paul Ozog, Andrew Lai, Saumitro Dasgupta  \\
}

\begin{document}

\begin{titlepage}
  \maketitle
  \thispagestyle{empty}
\end{titlepage}

%\tableofcontents

\section{Team Member Contributions}
\begin{itemize}
\item Paul Ozog was the primary author of this report and conceived the race condition attack.
\item Andrew and Saumitro's were available for conceptual help for the ``End of Lab'' questions.
\end{itemize}

\section{File Race Condition}
For the first section of this lab, we exploited the File Race Condition.  It basically involved three steps:

\begin{enumerate}
\item Feed {\bf find-suid} a non-priveledge user's exploit script (see {\bf Section \ref{exploit.sh} - exploit.sh}) by setting the setuid bit
\item Create a symbolic link called /tmp/find-suid.log that points to /root/bin/find-suid {\it in between} executions of the crontab job to run {\bf find-suid}}
\item Modify {\bf exploit.sh} to your heart's content.  
\end{enumerate}

For our purposes, we wished to add the non-priveledged user to the group {\bf admin} so that the sudoers file would allow the non-priveledged user the ability to run all commands on the machine as root.

\subsection{The Exploit Procedure in Detail}
\label{exploit}
The permissions were set on {\bf exploit.sh} as follows:

\texttt{
  \$ chmod u+s exploit.sh \newline
  -rwsr-xr-x 1 pjozog pjozog  58 2010-02-14 20:56 exploit.sh \newline
}

Therefore, the output of the {\bf find} command in find-suid simply became:

\texttt{
  /home/pjozog/labs/local-exploits/exploit.sh \newline
}

We created a symbolic link in /tmp:

\texttt{
\$ cd /tmp;
ln -s /root/bin/find-suid find-suid.log \newline
}

So the output of the {\bf find} command was redirected to link in /tmp, which points to /root/bin/find-suid. 

\texttt{
  lrwxrwxrwx 1 pjozog pjozog   19 2010-02-14 21:34 find-suid.log -> /root/bin/find-suid
}

In short, the find-suid script was rewritten to call /home/pjozog/labs/local-exploits/exploit.sh.  So the next time the crontab ran, it actually ran {\bf exploit.sh} as root!

\subsection{exploit.sh}
\label{exploit.sh}
This script simply adds a non-priveledged user to the {\bf admin} group, allowing him/her root-level access to all programs running on the machine.

\texttt{
  \lstinputlisting{exploit.sh}
}

\section{Rootkit Techniques \& Common Rootkits}
Attached is the output of {\bf rkhunter} version 1.3.6 after running on our Linux router.  Note that this output does not say why a check gives a \texttt{Warning}, but this information is provided in the log file /var/log/rkhunter.log.  We did not include this file in our report because it is extremely long.

\texttt{
  \lstinputlisting{rkhunter.txt}
}

\section{Password Sniffing}
\label{PasswordSniffing}
Here is the Authorization packet sniffed from the Windows server using {\bf tshark}:
\texttt{
  \lstinputlisting{auth.packet}
}

Notice the end of the packet, which contains an unencrypted username:password field encoded in Base64:
\begin{verbatim}
$ echo c21pdGguajpiYWRwYXNzd29yZA== | openssl base64 -d
smith.j:badpassword
\end{verbatim}

Clearly then, the username is \texttt{smith.j} and the password is \texttt{badpassword}.

\section{Responses to End of Lab Questions}
1. See {\bf Section {\ref{exploit}}}

2. We studied the case of the Honeypot Project using a Solaris 2.6 system.  The administrator used an open-source Intrusion Detection System (IDS) called {\bf snort} to detect a known buffer-overflow vulnerability of Solaris 2.6, which grants an intruder root-level access.  To monitor the activities of the intruder(s), the administrator used a combination of monitoring console commands and an IRC bot that recorded conversations between two ``l33t hax0rs.''

It's clear the rootkit used by the system was user-level and hidden in a sneakily-named directory: ``/dev/.. `` (note the space following ``..'').  It not only attempted to clean up traces of the intrusion, it also secured the system so no other intruders can enjoy the ``kill.''

3. See {\bf Section {\ref{PasswordSniffing}}}

4. IMAP and FTP are two well known protocols that send unencrypted authentication information, and thus are vulnerable to the same sort of sniffing as done in this lab. 

5. Though it's tempting to say this fixes the problem, the race condition is still applicable because there is still a chance the malicious symbolic link can be created in between the ``\texttt{rm -fr \$TMP\_FILE}'' command and the ``\texttt{find}'' command.  So our attack would use something like the following to continuously create the malicious link, in the hopes that it will be created after the temporary file is removed, but before the ``find'' command in {\bf find-suid}  :
\begin{verbatim}
while [ 1 ]; do
   ln -sf /tmp/find-suid.log /root/bin/find-suid
done
\end{verbatim}

The easiest way to fix {\bf find-suid} is to use a temporary directory that is writable only to root for the creation of temporary log files (such as /root/tmp).

6. Two false positives are characterized by the ``hidden files and directories'' warning.  This warning is tripped by the existence of /etc/.udev and /etc/.initramfs, which are created every time the system boots.  Their existence is unavoidable.  

Also, the rootkit string ``hdparm'' in /etc/init.d/checkroot.sh is clearly a false positive - this string is only in the comments and isn't executed by the script under scrutiny.  

Almost all of the other warnings are due to the ``replacing'' of ELF executables with text scripts (Bourne, BASH, perl, etc.).  A cautious admin should investigate all of these warnings, but for our setup, these scripts (\texttt{ldd, which, groups}, etc.) are included with Ubuntu by default.

\end{document}
